From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-storage/pve-manager v3 0/4] fix #623: show isos/vztmpl/snippets in subdirs
Date: Fri, 14 Jul 2023 13:40:23 +0200
Message-ID: <1689334028.ni4oeuf61z.astroid@yuna.none>
In-Reply-To: <20230615120329.28764-1-n.ullreich@proxmox.com>

On June 15, 2023 2:03 pm, Noel Ullreich wrote:
> This patch fixes #623, allowing isos/vztmpl/snippets in subdirectories.
> This feature is opt-in and can be set from the API, web interface or
> with `pvesm`.
> 
> I addressed the security concerns raised by Fabian, now parent
> directories in the path (i.e. `/my/path/../somewhere/`) are forbidden.
> I have kept the permission to use symlinks, however, if this is a
> security issue, symlinks can easily be forbidden as well. This,
> however, would be a breaking change.

w.r.t. the symlinks:

symlinks are (still) allowed for the files themselves, which is okay.
what is a bit strange is that the "size" of a symlinked iso is that of
the symlink, not of the target, i.e., it depends on the name length
instead of the content size ;)

symlinks are not allowed (or rather, ignored) for the intermediate
components, which I guess would be one of the main use cases for
symlinks in the first place? having to link each file separately seems
tedious..

I tried to think about possible "bad" scenarios with symlinked subdirs,
but all of them are applicable to symlinked files as well and either
- require direct write access to the storage directory hierarchy to
  allow the creation of "dangerous" symlinks (not exposed over the API)
- an attacker-controlled host-mounted subvol that is mounted below the
  iso/template/.. content dir (which is actually a variant of the above
  I guess)

with the size and dir parts addressed, and the small nit I noted inline
with patch #1, consider this

Reviewed-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

unless somebody comes up with a symlink-related attack scenario that
would be exploitable on a regular PVE setup which I missed, of course ;)

> parts of the tests as well as the regex for checking, if a `/../` is in
> the path have been taken and/or adapted from an older patch that was
> never merged:
> https://lists.proxmox.com/pipermail/pve-devel/2020-May/043622.html
> 
> This is a complete rework from v1, so I don't see a point in writing
> what the differences are. It's all different.
> 
> ----
> changes from v2:
> * rebased so that applying with new structure in pve-storage works 
> (/PVE was moved to /src/PVE/)
> * fixed the path of the volid for snippets in Plugin.pm (thanks @Markus)
> 
> Noel Ullreich (4):
> 
> pve-storage:
>   recursively go through subdirs to find files
>   add `subdir-depth` option to filesystems
>   update test for recursive subdir search
> 
>  src/PVE/Storage.pm                 |  7 +++
>  src/PVE/Storage/CIFSPlugin.pm      |  1 +
>  src/PVE/Storage/CephFSPlugin.pm    |  1 +
>  src/PVE/Storage/DirPlugin.pm       |  1 +
>  src/PVE/Storage/GlusterfsPlugin.pm |  1 +
>  src/PVE/Storage/NFSPlugin.pm       |  1 +
>  src/PVE/Storage/Plugin.pm          | 63 +++++++++++++++++----------
>  src/test/filesystem_path_test.pm   | 18 ++++++++
>  src/test/list_volumes_test.pm      | 68 ++++++++++++++++++++++++++++++
>  src/test/parse_volname_test.pm     | 40 ++++++++++++++++++
>  10 files changed, 179 insertions(+), 22 deletions(-)
> 
> pve-manager:
>  www/manager6/storage/Base.js | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> -- 
> 2.30.2
> 
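The points raised in this mail (the size of a symlinked ISO, symlinked intermediate directories, and rejecting `..` components), shown as an added example that is not part of the original mail and is not code from pve-storage. `list_content`, `has_parent_component`, the file names and the policy of following a directory symlink only when it resolves below the storage root are assumptions made for illustration.

```perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Temp qw(tempdir);

# True if a storage-relative path contains a ".." component.
sub has_parent_component { return (grep { $_ eq '..' } split m{/+}, $_[0]) ? 1 : 0 }

# Hypothetical lister (not PVE code): recurse up to $max_depth below $base.
sub list_content {
    my ($base, $max_depth) = @_;
    my $root = realpath($base);
    my @found;
    my $walk; $walk = sub {
        my ($dir, $depth) = @_;
        opendir(my $dh, $dir) or return;
        my @names = sort grep { $_ ne '.' && $_ ne '..' } readdir($dh);
        closedir($dh);
        for my $name (@names) {
            my $path = "$dir/$name";
            my @st = stat($path) or next;    # stat() follows symlinks; dangling links are skipped
            if (-d _) {
                next if $depth >= $max_depth;
                # descend into a (possibly symlinked) directory only if it resolves below $root
                my $real = realpath($path);
                next if !defined($real) || index("$real/", "$root/") != 0;
                $walk->($path, $depth + 1);
            } elsif (-f _) {
                # report the target's size, not the length of the link text that lstat() returns
                push @found, { path => substr($path, length($root) + 1), size => $st[7] };
            }
        }
    };
    $walk->($root, 0);
    return @found;
}

# Constructed sample tree in temporary directories.
my ($store, $outside) = (tempdir(CLEANUP => 1), tempdir(CLEANUP => 1));
mkdir "$store/sub" or die $!;
for my $f ("$store/sub/real.iso", "$outside/other.iso") {
    open(my $fh, '>', $f) or die $!; print $fh 'x' x 4096; close($fh);
}
symlink('sub/real.iso', "$store/link.iso") or die $!;    # file symlink: listed with target size
symlink('sub', "$store/inside") or die $!;               # dir symlink staying inside: followed
symlink($outside, "$store/escape") or die $!;            # dir symlink leaving the store: skipped
printf "%-20s %d\n", $_->{path}, $_->{size} for list_content($store, 1);
printf "link.iso lstat size: %d\n", (lstat("$store/link.iso"))[7];
print "rejected\n" if has_parent_component('iso/../../etc/x.iso');
```

The `realpath` containment check is only as strong as the write protection on the storage tree: a link that is swapped between the check and the later open is not caught.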
